
Loop through array in KQL


Hi, I've been exploring parsing and noticed that when parsing XML you get dictionaries and arrays.

 

You can't pass those into functions, but you can pass a var of type dynamic; then, to loop, you have to make a table and join the table with the query that you ran. Does anybody have any idea of how to loop through an array? I couldn't find anything around this.


@LodewykV There certainly doesn't appear to be any sort of looping mechanism. Is there any particular reason you do not want to convert your array into a table to use with a join command?

@Gary Bushey Hi Gary, the main reason would be so that I could make use of data that I pull in from external sources via API calls, as well as using custom connectors and merging them onto existing connectors.

 

Another reason would be to be able to enrich existing analytical rules.

@LodewykV All of that can be done using tables and either join or union commands. I would recommend looking at the "externaldata" operator and the Watchlist functionality to get external data.

@Gary Bushey Hi Gary, thanks for the recommendation. I'm using the externaldata operator to do an API call and am parsing the data using mv-expand and parse_json, although I've got to use the loop functionality in playbooks to be able to do what I want to do.

 

I'll have a look at watchlists though.

@LodewykV: to loop through an array, use mv-apply. Although it is not exactly looping, mv-expand is sometimes more useful.
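A worked query for the mv-apply approach, added here as an example and not code posted in the thread. The Events and BadIps tables are constructed stand-ins for parsed API output and a watchlist; the addresses and severities are placeholder values.

```kql
// Constructed sample: each event carries a dynamic array of indicators,
// the same shape parse_json() / parse_xml() produce from an externaldata pull.
let Events = datatable(EventId:int, Indicators:dynamic)
[
    1, dynamic(["10.0.0.5", "203.0.113.7", "198.51.100.9"]),
    2, dynamic(["10.0.0.6"])
];
// Constructed stand-in for a Watchlist of known-bad addresses (placeholder values).
let BadIps = datatable(Ip:string, Severity:string)
[
    "203.0.113.7", "High",
    "198.51.100.9", "Medium"
];
// mv-apply runs the subquery once per array element of each input row and
// folds the subquery result back into that row: the closest KQL gets to a loop.
// Inside the subquery the current element is visible as Indicator, so it can be
// joined against the watchlist without first materialising a separate table.
Events
| mv-apply Indicator = Indicators to typeof(string) on (
    join kind=leftouter BadIps on $left.Indicator == $right.Ip
    | summarize Matched = make_list_if(Indicator, isnotempty(Severity)),
                HitCount = countif(isnotempty(Severity))
  )
| project EventId, Matched, HitCount
```

Swapping mv-apply for mv-expand would instead leave one row per indicator with no fold-back, which is the better fit when the downstream rule wants per-indicator rows anyway.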

 

@Gary Bushey